CLAIMS

1. A method for inspecting an encrypted data stream being transferred
over a network between two endpoints, the data stream being encrypted using a
session key known to both endpoints, the method comprising:

securely transferring the session key from one of the endpoints to an
intermediary having access to the encrypted data stream;

decrypting the encrypted data stream at the intermediary using the session
key; and

inspecting the data stream following decryption.

2. A method as recited in claim 1, wherein securely transferring 
comprises: 

encrypting the session key using a public key associated with the 
intermediary; and 

sending the encrypted session key to the intermediary. 



3. A method as recited in claim 1, wherein securely transferring
comprises:

encrypting the session key using a public key associated with the
intermediary;

signing the encrypted session key using a private key associated with the
intermediary; and

sending the signed and encrypted session key to the intermediary.

4. A method as recited in claim 1, further comprising storing the data
stream at the intermediary.



5. A method for inspecting an encrypted data stream being transferred
over a network between two endpoints and via an intermediary, the data stream
being encrypted using a session key known to both endpoints, the method
comprising:

storing a public key from a public/private key pair associated with one of
the endpoints at a key storage;

storing a public key from a public/private key pair associated with the
intermediary at the key storage;

obtaining, at said one endpoint, the intermediary's public key from the key
storage;

encrypting, at said one endpoint, the session key using the intermediary's
public key to produce an encrypted session key;

encrypting, at said one endpoint, the encrypted session key using a private
key from the public/private key pair associated with said one endpoint to produce
a signed encrypted session key;

passing the signed encrypted session key to the intermediary;

obtaining, at the intermediary, the one endpoint's public key from the key
storage;

decrypting, at the intermediary, the signed encrypted session key using the
one endpoint's public key to return the encrypted session key;

decrypting, at the intermediary, the encrypted session key using the
intermediary's private key to return the session key; and

using the session key at the intermediary to decrypt the encrypted data
stream.
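The key hand-off recited in claim 5 (and again in claims 7 and 16 with the firewall as the intermediary), as an added Go example that is not part of the patent: the endpoint wraps the session key under the intermediary's public key and signs the wrapped key, and the intermediary authenticates that signature before unwrapping and then decrypts a record of the stream. The claim's "encrypt with the endpoint's private key" step is rendered here as an RSA-PSS signature, the AES-GCM record layout is an assumption the claims do not state, and all function names are the example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Endpoint side of claim 5: encrypt the session key to the intermediary's public
// key, then sign that ciphertext with the endpoint's private key (RSA-PSS).
func wrapSessionKey(key []byte, imPub *rsa.PublicKey, epPriv *rsa.PrivateKey) (enc, sig []byte, err error) {
	if enc, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, imPub, key, nil); err != nil {
		return nil, nil, err
	}
	d := sha256.Sum256(enc)
	sig, err = rsa.SignPSS(rand.Reader, epPriv, crypto.SHA256, d[:], nil)
	return enc, sig, err
}

// Intermediary side: verify the endpoint's signature before the intermediary's
// private key is used, so a key from an unauthenticated sender is rejected.
func unwrapSessionKey(enc, sig []byte, epPub *rsa.PublicKey, imPriv *rsa.PrivateKey) ([]byte, error) {
	d := sha256.Sum256(enc)
	if err := rsa.VerifyPSS(epPub, crypto.SHA256, d[:], sig, nil); err != nil {
		return nil, errors.New("session key rejected: bad endpoint signature")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, imPriv, enc, nil)
}

// Final step: decrypt one stream record with the recovered session key. The
// record format (AES-GCM, nonce prefixed) is assumed; the claims do not name it.
func openRecord(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(record) < n {
		return nil, errors.New("record too short")
	}
	return gcm.Open(nil, record[:n], record[n:], nil)
}
```

Because the signature is checked before the intermediary's private key is applied, an attacker who knows only the intermediary's public key cannot push a session key of their choosing into the inspection point.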



6. In a network system in which an encrypted data stream is transferred
over a network between two endpoints and via an intermediary, the data stream
being encrypted using a session key known to both endpoints, computer-readable
media at one of the endpoints and at the intermediary storing computer-executable
instructions for performing the method as recited in claim 5.



7. In a network system having an external client that exchanges
encrypted data with an external client over a network and through a firewall
intermediate of the internal and external clients, the encrypted data being
encrypted using a session key known to the internal and external clients, a method
executed at the firewall comprising:

receiving an encrypted and signed session key from the internal client, the
encrypted and signed session key bearing a digital signature of the internal client;

authenticating the digital signature as belonging to the internal client;

decrypting the session key; and

decrypting the encrypted data being exchanged between the internal and
external clients using the session key.

8. A method as recited in claim 7, wherein the encrypted and signed
session key is encrypted using a public key from a public/private key pair
associated with the firewall, and the decrypting comprises decrypting the session
key using a private key from the public/private key pair.

9. A method as recited in claim 7, further comprising inspecting the data 
in an unencrypted form. 

10. A method as recited in claim 7, further comprising storing the data 
in an unencrypted form. 

11. In a network system having an external client that exchanges
encrypted data with an external client over a network and through a firewall
intermediate of the internal and external clients, the encrypted data being
encrypted using a session key known to the internal and external clients, a
computer-readable medium resident at the firewall storing computer-executable
instructions for performing the method as recited in claim 7.



12. A network system comprising:

an internal client and an external client configured to communicate
encrypted data over a network using virtual private network communication, the
data being encrypted using a session key;

an intermediary having access to the encrypted data being communicated
between the internal client and the external client;

the internal client being configured to securely transfer the session key to
the intermediary; and

the intermediary being configured to decrypt the data using the session key
and to inspect the data.

13. A network system as recited in claim 12, wherein the internal client
encrypts the session key prior to sending it to the intermediary.

14. A network system as recited in claim 12, wherein the internal client
encrypts and signs the session key prior to sending it to the intermediary.

15. A network system as recited in claim 12, wherein the intermediary 
stores the data in unencrypted form. 

16. A software architecture for a network system having two endpoints
that exchange encrypted data over a network and through an intermediary, the
encrypted data being encrypted using a session key known to the endpoints,
comprising:

endpoint-resident code to encrypt the session key using a public key from a
public/private key pair associated with the intermediary and to sign the encrypted
session key with a digital signature, the endpoint-resident code being capable of
sending the signed and encrypted session key to the intermediary; and

intermediary-resident code to authenticate the digital signature and decrypt
the encrypted session key using a private key from the public/private key pair
associated with the intermediary, the intermediary-resident code using the session
key to decrypt the encrypted data as it is being exchanged between the two
endpoints.



17. A software architecture as recited in claim 16, wherein
intermediary-resident code inspects the data in unencrypted form.



18. A software architecture as recited in claim 16, wherein
intermediary-resident code stores the data in unencrypted form.

19. In a network system having an external client that exchanges
encrypted data with an external client over a network and through a firewall
intermediate of the internal and external clients, the encrypted data being
encrypted using a session key known to the internal and external clients,
computer-readable media distributed at the internal client and the firewall storing
computer-executable instructions for:

encrypting the session key at the internal client;

signing the encrypted session key with a digital signature associated with
the internal client;

passing the signed and encrypted session key to the intermediary;

authenticating, at the intermediary, the digital signature of the internal
client;

decrypting the session key at the intermediary;

decrypting, at the intermediary, the encrypted data using the session key;
and

inspecting the data en route between the internal and external clients.
20. In a network system in which an encrypted data stream is transferred
over a network between two endpoints and via an intermediary, the data stream
being encrypted using a session key known to both endpoints, computer-readable
media at one of the endpoints and at the intermediary storing computer-executable
instructions for:

securely transferring the session key from one of the endpoints to an
intermediary having access to the encrypted data stream;

decrypting the encrypted data stream at the intermediary using the session
key; and

inspecting the data stream following decryption.